When ILS Hacks You 


JOSHUA MADDUX 


Demo 


% Terminal Shell Edit View Window Help O 7 UZ = 7*8 Thu12:06 AM Joshua Maddux A ® = 


eoo fi josh 一 -bash — 84x22 
| x ~ 一 -bash 


Joshuas-MacBook-Air:~ josh$ B x 


Overview 


» Where | Started 
» Testing Approach 
» Implications 
» Concrete Vulnerabilities 
» Defense 
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Getting around limitations 


Past approaches 


Weird protocols SNI injection 
> gopher://localhost:11211/ » htips://127.0.0.1 ZOD%ZOAHELO 
_%0aset%20f00%20... orange. tw%ODZOAMAIL 
Doesn't work against FROM...:25/ 
modern libraries - From Orange Tsai's talk "A new 
era of SSRF" 
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- Really cool, but depends on 
specific bugs 
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No. Time Source 
5215 291. /394/9443 192.168.1.13 192.38.255.112 
3242 292.029936053 192.168.1.13 | _ 185.199.111.154 


Destination Protocol Lengt 


TLSv1.3 28 


| TLSv1.2 65 
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Server Name list length: 26 
Server Name Type: host name (0) 
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No. Time Source Destination Protocol ^ Length Full 
9215 241.733147u443 182.158.1.13 132.368.255.112 TLSv1.3 283 
185.199.111.154 TLSv1.2 652 


Random Bytes: 4f82a084a4e441e2c776f0fb53f11c66fb2725f7c705480a... 
Session ID Length: 32 
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for(i = 0; i < data-»set.general ssl.max ssl sessions; i++) | 
check = ádata->state.session[i]; 
if(!check->sessionid) 
/* not session ID means blank entry */ 
N continue; 
if(strcasecompare(name, check->name) && 
((!conn->bits.conn to host 88 !check-»conn to host) || 
Tə »bits.conn to host 848% check-»conn to host 4% 
strcasecompare(conn->conn to host.name, check->conn to host))) 88 
((!conn->bits.conn to port 88 check->conn to port == -1) || 
(conn-»bits.conn to port && check->conn to port !- -1 BR 
N conn->conn_to port == check->conn_to port)) 88 
NS cer: == check->remote port) 88 


strcasecompare(conn-»handler-»scheme, check->scheme) 88 


Curl ssl config matches(ssl config, &check-»ssl config)) 4 


/* information stored about one single 55L session */ 

struct curl ssl session | 

“A char "name ; /* host name for which this ID was used */ 

“A char *conn to host; /* host name for the connection (may be NULL) */ 
Mont char *scheme; /" protocol scheme used */ 


void *sessionid; /" as returned from the 55L layer "/ 


size_t idsize; /* if known, otherwise 0 */ 
long age; /* just a number, the higher the more recent */ 


int remote port;  /* remote port */ 
M int conn to port; /* remote port for the connection (may be -1) */ 
struct ssl primary config ssl config; /" setup for this session "/ 
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Testing 
approach 


IP of Custom ILS box 
127.0.0.1 


IP of Custom ILS box 
IP of Netcat box 


Code available at: 
nttos://gltnub.com/jmdx/TL$S-polson 


Alternating Fork of hitos://githulb.com/SySS-Research/dns-mitm 


DNS Server 


Fork of https://github.com/ctz/rustls 
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I Thanks to Akash Idnani for writing the redis-based 
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Implications 


What's now vulnerable 


OIDC discovery surprisingly common 


(sometimes) | 
Webpush « SVG conversion 
Webmention e URL-based XXE 
e Scraping 
Apple Pay Web oo 


In browsers, just 
phishing people 
(Then we call it 
CSRF) 
e Wifi captive 
portals 
SSDH 


PDF renderers with images 
enabled 


Outbound 
TLS 
sessions 


Stuff on 
local ports 


Getting 
more 
common 


What things 


cache TLS 
sessions? 


HTTPS Client 


library/application 


Java 
HttpsUrl Connection 


Webkit 
Chrome 


Firefox 


Curl/libcurl 
IOS, Android SSDP 


Python 'requests' 
package 


Go http client 


node-fetch, axios 


Can haxx 
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Not yet 


Yes 


Caches by IP adaress, 
not domain (should 
be both) 


Open issue on github 
to cache sessions 


Node has built-in 
cache 


What stuff? 


Internal SSRF Targets 


Package Susceptible? Notes 

Memcached Yes Common Route to RCE! 

Hazelcast MES Commonin Java apps 

Redis No Closes connections after null bytes 

SMTP Yes All implementationsl've seen 

rit MES All implementationsl've seen 

Mysql, Postgres, etc. Maybe Let me know if you make this 
happen 

FastCGl Maybe 

Zabbix No Similarreasons as redis 


Syslog Yes Less severe 


Concrete 
Vulnerabilities 


Real-world SSRF: Youtrack 


JET 
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Search this blog 


| Search 


JetBrains Security Bulletin Q3 2019 ico 


Posted on October 29, 2019 by Robert Demmer 


In the third quarter of 2019, we resolved a series of security issues in our products 


Here's a summary report that contains a description of each issue and the version in which it 
was resolved. 


Product Description Severity Resolved in CVE/CWE 


2019.1.11738 


You Track arbitrary spam email from a 


CHE 


4156, ADM-158 


000001a0: 
000001b0: 
000001c0: 
00000140: 
000001e0: 
000001f0: 
00000200: 
00000210: 
00000220: 


ff01 
4120 
4d341 
406a 
5243 
7468 
4154 
6272 
0000 


0001 
6a65 
494c 
6574 
5054 
6963 
410a 
6169 
0000 


0000 
7462 
2046 
6272 
2054 
616c 
5375 
6e73 
0000 


2900 
7261 
524f 
6169 
of3a 
4070 
626a 
0a48 
0000 


ab00 
696e 
4d3a 
6e73 
203c 
6663 
6563 
656c 
0000 


8600 
732e 
203c 
2e63 
6a6f 
2e69 
743a 
6c6f 
0000 


8048 
636f 
7465 
6£6d 
7368 
6f3e 
204a 
Dale 
0048 


O jetbrains.com. 
MALL FROM: <test 
@jetbrains.com>. 
RCPT To: <joshte 
thical@pkc.io>.D 
ATA.Subject: Jet 
brains.Hello.... 


Jetbrains 2 spam x 


A test@jetbrains.com 4:51 PM (0 minutes ago) 
to v 


test@jetbrains.com 


A Sep 4, 2019, 4:51 PM 


Jetbrains 


a Standard encryption (TLS) Learn 
more 
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Real-world SSRF: Nextcloud 


» Federated sharing 
» Osomeonedexample.com 
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» Federated sharing 
> @someone@example.com 
> @someone@example.com:1121 1 


Real-world SSRF: Nextcloud 


» Federated sharing 
> @someone@example.com 
> @someone@example.com:1 1211 
> Use TLS rebinding, write to memcached! 


Real-world SSRF: Nextcloud 


» Federated sharing 
> @someone@example.com 
> @someone@example.com:1 121 1 
» Use TLS rebinding, write fo memcached! 
» Fix: no great options 


»Still added a request timeout and gave me a 
bounty 


Demo: Phishing->CSRF->RCE 


» Assumptions 


> Victim is a developer for a project that makes use of 
django.core.cacne, configured to use memcached 


» Victim views web-based emails in a susceptible 
browser like Chrome 


» Attacker knows/guesses this 
» Victim is smart enough not to download attachments 


import sys 


from django.conf import settings 

from django.conf.urls import url 

from django.core.management import execute_from_command_line 
from django.http import HttpResponse 

from django.core.cache import cache as django_cache 


settings.configure( 
DEBUG=True, 
ROOT. URLCONF=sys.modules[. name. ], 
CACHES = 4 
'default': 4 
'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache', 
'LOCATION': '127.0.0.1:11211', 
hh 
kr 


rate limited sloth() 


ke © 


settings.configure( 
DEBUGzTrue, 
ROOT URLCONFzsys.modules[ name )l, 
CACHES z ( 
"default": 1 
" BACKEND" : 'django.core.cache.backends.memcached.MemcachedCache', 
"LOCATION': "127.0.0.1:11211", 


rate limited sloth(reguest): 


was visited z django cache.get( page hits", False) 


diango cache.set( page hits", True, timeout=3) 
if was visited: 

return HttpResponse('<h1>The sloth needs to sleep for 3 seconds.</h1>') 
return HttpResponse(u'<div style-"font-size: 50vh"5NXU0001f9a54/div?") 


Further work 


» Chain with memory 
corruption 


» NAT pinning 
» DOS amplification 


» High amplification 
factors? 


» Better testing 
infrastructure 


> infrastructure-as-code 


» Image-based CSRF on 
bad IOT devices 


» telnet? 


» Hit internal HTTP servers 
with a session ticket 
payload 


» Attack message queues 


» Correct me - my DM's are 
open @joshmdx 


My proposal for TLS clients 


» Change cache key 
» Currently: (nostname, pori) 
> Better: (hostname, port, ip addr) 


My proposal for TLS clients 


» Change cache key 
» Currently: (hostname, port) 
> Better: (hostname, port, ip addr) 
» If you care about big TLS deployments 
> (hostname, port, addr type(ip addr)) 
»Similar to https://wicg.githnub.io/cors-rfc 1918/ 


»Credit to chromium team 


Security costs of TLS session resumption 


» "Measuring the Security Harm of TLS Crypto 
Shortcuts” 


» Detrimental to PFS 


» “Tracking Users across the Web via TLS Session 
Resumption" 


» Detrimental to privacy 


» "Insecure ILS session reuse can lead to 
hostname verification bypass" - NodeJS 
> complexity = bugs 

» Also everything in the previous slides 


Benefit of TLS session resumption 


» Full handshake: -2x real time, -23x CPU time 


ə https://blog.cloudflare.com/tls-session- 
resumption-full-speed-and-secure/ 


Benefit of TLS session resumption 


» Full handshake: -2x real time, -23x CPU time 


ə https://blog.cloudflare.com/tls-session- 
resumption-full-speed-and-secure/ 


» Might not care if you're a: 
» Regular internet user 
» Web application making API calls 


Disabling outbouna TLS session 
resumption 


> libcurl: CURLOPT SSL SESSIONID CACHE=false 

> firefox: security.ssl.disable session identifiers-true 
» Tor browser: disabled by default 

» Java, Nodejs, Chrome, others: no option & 


For web apps that can't disable if Ok 


» Careful around stuff like webhooks, apple pay 
» Set up a proxy for outbound requests, e.g. 


https://github.com/stripe/smokescreen 


» Avoid running unauthenticated internal TCP stuff, 
especially if it's newline-delimited 


Takeaways 


» Modern TLS is useful for SSRF attacks 


» Following the latest specs is a good way to 
break things 


» We need to reconsider the merits of TLS session 
resumption 


Thank you! 


Joshua Maddux, Gjoshmdx 
Security Engineer - latacora.com - security teams for startups 


